chrome/app/close_handle_hook_win.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/app/close_handle_hook_win.h"
   6
   7 #include <Windows.h>
   8 #include <psapi.h>
   9
  10 #include <vector>
  11
  12 #include "base/lazy_instance.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "base/win/iat_patch_function.h"
  15 #include "base/win/pe_image.h"
  16 #include "base/win/scoped_handle.h"
  17 #include "chrome/common/channel_info.h"
  18 #include "components/version_info/version_info.h"
  19
  20 namespace {
  21
  22 typedef BOOL (WINAPI* CloseHandleType) (HANDLE handle);
  23 CloseHandleType g_close_function = NULL;
  24
  25 // The entry point for CloseHandle interception. This function notifies the
  26 // verifier about the handle that is being closed, and calls the original
  27 // function.
  28 BOOL WINAPI CloseHandleHook(HANDLE handle) {
  29   base::win::OnHandleBeingClosed(handle);
  30   return g_close_function(handle);
  31 }
  32
  33 // Provides a simple way to temporarily change the protection of a memory page.
  34 class AutoProtectMemory {
  35  public:
  36   AutoProtectMemory()
  37       : changed_(false), address_(NULL), bytes_(0), old_protect_(0) {}
  38
  39   ~AutoProtectMemory() {
  40     RevertProtection();
  41   }
  42
  43   // Grants write access to a given memory range.
  44   bool ChangeProtection(void* address, size_t bytes);
  45
  46   // Restores the original page protection.
  47   void RevertProtection();
  48
  49  private:
  50   bool changed_;
  51   void* address_;
  52   size_t bytes_;
  53   DWORD old_protect_;
  54
  55   DISALLOW_COPY_AND_ASSIGN(AutoProtectMemory);
  56 };
  57
  58 bool AutoProtectMemory::ChangeProtection(void* address, size_t bytes) {
  59   DCHECK(!changed_);
  60   DCHECK(address);
  61
  62   // Change the page protection so that we can write.
  63   MEMORY_BASIC_INFORMATION memory_info;
  64   if (!VirtualQuery(address, &memory_info, sizeof(memory_info)))
  65     return false;
  66
  67   DWORD is_executable = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
  68                         PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY) &
  69                         memory_info.Protect;
  70
  71   DWORD protect = is_executable ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
  72   if (!VirtualProtect(address, bytes, protect, &old_protect_))
  73     return false;
  74
  75   changed_ = true;
  76   address_ = address;
  77   bytes_ = bytes;
  78   return true;
  79 }
  80
  81 void AutoProtectMemory::RevertProtection() {
  82   if (!changed_)
  83     return;
  84
  85   DCHECK(address_);
  86   DCHECK(bytes_);
  87
  88   VirtualProtect(address_, bytes_, old_protect_, &old_protect_);
  89   changed_ = false;
  90   address_ = NULL;
  91   bytes_ = 0;
  92   old_protect_ = 0;
  93 }
  94
  95 // Performs an EAT interception.
  96 void EATPatch(HMODULE module, const char* function_name,
  97               void* new_function, void** old_function) {
  98   if (!module)
  99     return;
 100
 101   base::win::PEImage pe(module);
 102   if (!pe.VerifyMagic())
 103     return;
 104
 105   DWORD* eat_entry = pe.GetExportEntry(function_name);
 106   if (!eat_entry)
 107     return;
 108
 109   if (!(*old_function))
 110     *old_function = pe.RVAToAddr(*eat_entry);
 111
 112   AutoProtectMemory memory;
 113   if (!memory.ChangeProtection(eat_entry, sizeof(DWORD)))
 114     return;
 115
 116   // Perform the patch.
 117 #pragma warning(push)
 118 #pragma warning(disable: 4311)
 119   // These casts generate warnings because they are 32 bit specific.
 120   *eat_entry = reinterpret_cast<DWORD>(new_function) -
 121                reinterpret_cast<DWORD>(module);
 122 #pragma warning(pop)
 123 }
 124
 125 // Keeps track of all the hooks needed to intercept CloseHandle.
 126 class CloseHandleHooks {
 127  public:
 128   CloseHandleHooks() {}
 129   ~CloseHandleHooks() {}
 130
 131   void AddIATPatch(HMODULE module);
 132   void AddEATPatch();
 133   void Unpatch();
 134
 135  private:
 136   std::vector<base::win::IATPatchFunction*> hooks_;
 137   DISALLOW_COPY_AND_ASSIGN(CloseHandleHooks);
 138 };
 139 base::LazyInstance<CloseHandleHooks> g_hooks = LAZY_INSTANCE_INITIALIZER;
 140
 141 void CloseHandleHooks::AddIATPatch(HMODULE module) {
 142   if (!module)
 143     return;
 144
 145   base::win::IATPatchFunction* patch = new base::win::IATPatchFunction;
 146   __try {
 147     // There is no guarantee that |module| is still loaded at this point.
 148     if (patch->PatchFromModule(module, "kernel32.dll", "CloseHandle",
 149                                CloseHandleHook)) {
 150       delete patch;
 151       return;
 152     }
 153   } __except((GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ||
 154               GetExceptionCode() == EXCEPTION_GUARD_PAGE ||
 155               GetExceptionCode() == EXCEPTION_IN_PAGE_ERROR) ?
 156              EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
 157     // Leak the patch.
 158     return;
 159   }
 160
 161   hooks_.push_back(patch);
 162   if (!g_close_function) {
 163     // Things are probably messed up if each intercepted function points to
 164     // a different place, but we need only one function to call.
 165     g_close_function =
 166       reinterpret_cast<CloseHandleType>(patch->original_function());
 167   }
 168 }
 169
 170 void CloseHandleHooks::AddEATPatch() {
 171   // An attempt to restore the entry on the table at destruction is not safe.
 172   EATPatch(GetModuleHandleA("kernel32.dll"), "CloseHandle",
 173            &CloseHandleHook, reinterpret_cast<void**>(&g_close_function));
 174 }
 175
 176 void CloseHandleHooks::Unpatch() {
 177   for (std::vector<base::win::IATPatchFunction*>::iterator it = hooks_.begin();
 178        it != hooks_.end(); ++it) {
 179     (*it)->Unpatch();
 180     delete *it;
 181   }
 182 }
 183
 184 bool UseHooks() {
 185 #if defined(ARCH_CPU_X86_64)
 186   return false;
 187 #elif defined(NDEBUG)
 188   version_info::Channel channel = chrome::GetChannel();
 189   if (channel == version_info::Channel::CANARY ||
 190       channel == version_info::Channel::DEV ||
 191       channel == version_info::Channel::UNKNOWN) {
 192     return true;
 193   }
 194
 195   return false;
 196 #else  // NDEBUG
 197   return true;
 198 #endif
 199 }
 200
 201 void PatchLoadedModules(CloseHandleHooks* hooks) {
 202   const DWORD kSize = 256;
 203   DWORD returned;
 204   scoped_ptr<HMODULE[]> modules(new HMODULE[kSize]);
 205   if (!EnumProcessModules(GetCurrentProcess(), modules.get(),
 206                           kSize * sizeof(HMODULE), &returned)) {
 207     return;
 208   }
 209   returned /= sizeof(HMODULE);
 210   returned = std::min(kSize, returned);
 211
 212   for (DWORD current = 0; current < returned; current++) {
 213     hooks->AddIATPatch(modules[current]);
 214   }
 215 }
 216
 217 }  // namespace
 218
 219 void InstallCloseHandleHooks() {
 220   if (UseHooks()) {
 221     CloseHandleHooks* hooks = g_hooks.Pointer();
 222
 223     // Performing EAT interception first is safer in the presence of other
 224     // threads attempting to call CloseHandle.
 225     hooks->AddEATPatch();
 226     PatchLoadedModules(hooks);
 227   }
 228 }
 229
 230 void RemoveCloseHandleHooks() {
 231   // We are partching all loaded modules without forcing them to stay in memory,
 232   // removing patches is not safe.
 233 }